You’ve probably heard the modern adage that “it’s not a matter of if your organization will experience a data breach, but when.” Ill-intentioned hackers across the globe are looking for ways to get rich quick by defrauding organizations. And those organizations’ most valuable assets—people—frequently fall prey to such criminals. With cyber insurance, you’ll be better positioned to mitigate the impacts of a cybersecurity incident.
You may be thinking, “If a data breach is inevitable, what’s the point of attempting to be secure?” Or you may think this insurance isn’t relevant to your industry and the data you manage. But the truth is: cyber insurance coverage is relevant to most organizations and data types, and it makes a significant difference in the event of a cybersecurity incident.
Organizations should adopt a two-factor approach: securing your organization and mitigating extra risk through cyber insurance. You need to do both: plan for a breach and protect yourself. Just because you have auto insurance doesn’t mean you drive recklessly.
There are three reasons all businesses should care about and consider cyber insurance coverage:
1. Cybercriminals are after all types of data.
Cybercriminals find value in almost everything. A recent cyber claims study indicates the following data is at risk:
As you can see, personal information like Social Security Numbers, birthdates, bank account information, credit card information and addresses are highly sought after. Cybercriminals’ main goal is usually identity theft of individuals and businesses. However, nearly every day brings news of cyberattacks of all kinds, even aimless attacks like “Zoombombing.”
You may be surprised to learn the black-market value of various types of data. For example, a recent webinar we conducted discussed that identities could be worth $14 to $18 each. If your data includes dozens or hundreds of individuals’ personally identifiable information, that adds up and is incentive enough for a hacker. Other examples include:
2. Recovering from a cybercrime is expensive.
The cost of a cybersecurity incident could be in the low hundreds to millions of dollars, according to the cyber claims study. And, as our webinar points out, managing the impact of a cybercrime can get expensive in a hurry.
First, you’ll need incident response and forensic analysis to discover what data was lost. Then, you must handle any mandatory notifications and reports. Further, you’ll likely need to manage public relations and your reputation, and you may lose customers or have diminished customer acquisition rates. On top of that, expect costs associated with counsel and litigation.
For an idea of how this breaks out, the average breach cost was nearly $604,000 in 2018. This average consisted of expenses related to crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services include forensics, credit monitoring, notifications, legal guidance/breach coaches and other related expenses.
Calculate the potential cost of a breach to your company’s data using eRiskHub’s sample data breach calculator.
3. Nearly all industries are at risk for cybercrime.
When it comes to cybercrime, small and large businesses of all industries are at risk. Cybercriminals find just as much value in attacking small companies with thousands of dollars available as they do in penetrating large, million-dollar companies. In fact, according to the cyber claims study, 49% of the time, the primary targets are businesses with under $50 million in annual revenue. Companies with less than $2 billion in revenue accounted for 85% of the insurance claims.
This trend is partially due to the expected vulnerabilities of smaller companies. Hackers can assume that smaller companies have fewer protective measures in place, and they can assume similar trends based on industry. For instance, hackers target industrial companies because they tend to have less invested in their security and valuable intellectual property at their fingertips.
The National Cyber Security Alliance found that 1 in 5 small businesses fall victim to cybercrime and 60% of those go out of business within six months (Victor O Schinnerer & Co).
The following industries reported the most incidents for insurance claim purposes:
As you can see, cybercrime has an impact on all industries and involves all data types, and it gets expensive quickly. That’s why cyber insurance needs to be part of your mitigation strategy.
With that understanding, what else should be part of your mitigation strategy? And what should you look for in your cyber insurance coverage?
Cybercriminals have stepped up their phishing, spoofing and social engineering game and made it more difficult to distinguish fraud from reality. They’re working hard to deceive others using nefarious business email addresses and ransomware. External threats attempt to penetrate your organization daily, and the criminals’ plan often involves compromising people and computer networks.
Some of the most common sources of cybersecurity incidents are hackers, malware, lost or stolen devices, mistakes made by staff, paper records and rogue employees. And humans tend to be the weakest links, unwittingly opening doors for cybercriminals. Even if you have well-executed plans for cybersecurity, there’s always a chance of an incident. As mentioned above, cybercrime insurance coverage is worth considering as part of mitigating and offsetting accepted risks and cybersecurity liability. But what other tools should you use to mitigate your cybersecurity risks?
Organizations of all sizes have considered the following tools in the past several years:
Proactive cybersecurity assessments identify weaknesses and opportunities to strengthen your network. And formal incident response plans help companies to respond quickly and effectively—critical factors in the event of a breach or attack. However, you must spread cybersecurity awareness and train your staff to recognize suspicious activity to prevent the biggest vulnerability of all: human error.
Even if you have cyber insurance, you may not know what is and isn’t covered in your policy. For example, do you know if you have cyber liability business interruption and/or crisis management coverage? Many organizations only learn that their policies don’t match their needs when it’s already too late.
This includes factors like the type of data you have and what value it holds, notification requirements you must comply with and specific risks others in your industry have reported. Revisit the list of common expenses associated with a cybersecurity incident. If you can foresee those costs, you can select cyber coverage to mitigate them.
That will depend on your provider and your choices. There are many options:
Other cyber-specific coverages can include:
The cyber insurance industry is booming right now, but it isn’t standardized yet. Not all providers offer the same services or the same level of service, so you want to make sure you choose a provider that can meet all of your needs. If you work with a credible advisor, they can help you understand coverage limitations and other important factors for different providers.
Be sure to do your homework before you approach your preferred provider. Underwriters will do a “wellness check” of your organization. They’re interested in those elements you’ve likely already addressed in your cybersecurity planning:
You’ll also want to have discussions with your insurance contact regarding:
Today, the cyber insurance market is growing as more industries move toward purchasing coverage as part of risk mitigation. The 2018 survey found that news of cyber-related losses was the No. 1 driver of businesses purchasing cyber insurance. Other motivating factors include experiences of cyber-related losses and requirements by third parties, such as a customer. As more businesses purchase cyber insurance, the overall cost of coverage is going down and is now even more accessible to smaller businesses.
Your business produces and operates using data, so it’s imperative you keep that information secure. The goal of your organization should be to identify, implement and execute methods to protect that data. This should include both proactive and reactive strategies, as well as insurance to mitigate the inevitable.